10.11. 钓鱼攻击(10.11. Phishing Attacks)
10.11. 钓鱼攻击
本协议或类似协议的广泛部署,可能导致最终用户变成习惯于被重定向到要求输入他们的密码的网站的做法。
如果最终用户在输入他们的凭据前不注意辨别这些网站的真伪,这将使攻击者利用这种做法窃取资源所有者的密码成为可能。
服务提供者应尝试教育最终用户有关钓鱼攻击构成的风险,并且应该为最终用户提供使确认它们的站点的真伪变得简单的机制。客户端开发者应该考虑他们如何与用户代理(例如,外部的和嵌入式的)交互的安全启示以及最终用户辨别授权服务器真伪的能力。
为了减小钓鱼攻击的风险,授权服务器必须要求在用于最终用户交互的每个端点上使用TLS。
10.11. Phishing Attacks
Wide deployment of this and similar protocols may cause end-users to
become inured to the practice of being redirected to websites where
they are asked to enter their passwords. If end-users are not
careful to verify the authenticity of these websites before entering
their credentials, it will be possible for attackers to exploit this
practice to steal resource owners' passwords.
Service providers should attempt to educate end-users about the risks
phishing attacks pose and should provide mechanisms that make it easy
for end-users to confirm the authenticity of their sites. Client
developers should consider the security implications of how they
interact with the user-agent (e.g., external, embedded), and the
ability of the end-user to verify the authenticity of the
authorization server.
Hardt Standards Track [Page 58]
RFC 6749 OAuth 2.0 October 2012
To reduce the risk of phishing attacks, the authorization servers
MUST require the use of TLS on every endpoint used for end-user
interaction.
No Comments